Home‎ > ‎



To make a change, the first step is admitting to having a problem. Taking the view that technology is not the problem, people are the problem, it becomes necessary to change behavior, and security consequently revolves around psychology.

Cybersecurity can be viewed from an architecture perspective, where any security failure is a failure of the architecture. Many networked technologies have no inherent effective security. The architecture of the internet, and most deployed software, leaves ample opportunities for malicious exploits. Where infrastructure and software are engineered properly, they would withstand known and manage unknown risks.[1]

Conventional wisdom is that systems with up-to-date antivirus signatures are safe. However, there has been an explosion in malware signatures due to polymorphic malware techniques. Changing a single literal in malware is sufficient to fool hash-function signature-based detectors. Similarly, varying character encoding, encryption and random padding, changes malware signatures.

Several solutions to detecting zero-day and polymorphic signatures are being attempted. For example, Symantec mines data from its more than hundred million customers to identify potential malware signatures. Such a reputation based system identified 600,000 new signature variants a day in 2009, some 240 million new threat hashes that are corroborated on this network. It is unfeasible to create, test and distribute such a large volume of signatures that may affect only a few users.[2]

For example, FireEye has developed a behavioral intrusion detection system (IDS) that uses honeypots and forensics to identify malicious content, as is moves across corporate networks. An emerging behavioral antivirus product is ThreatFire.

Entropy-based malware detection looks for mathematical similarities to known malware signatures. Suspicious files have similar entropy measures as malware.

Document-driven certification and accreditation

Assessment & Authorization (A&A), earlier called Certification & Accreditation (C&A) has attracted much public criticism because it is regarded as a paper-driven process that does not provide security from real threats. Certification is an assessment and testing phase that identifies and confirms vulnerabilities while accreditation is an executive approval phase that accepts risks discovered. Pre-certification involves security documentation and reviews.

Often in corporate environments, testing is superficial and inadequate using policy scanners that check registry and configuration settings. Penetration testing meanwhile is more thorough.

The SANS institute has stated publicly that paper-compliance security regimes should be replaced with hands-on technical security expertise. Nonetheless, for reference, there are hundreds of published National Institute of Standards and Technology (NIST) standards including,

NIST SP 800–39

Integrated enterprise-wide risk management processes across entire portfolio of systems and business activity

NIST SP 800–37

Lifecycle risk management

NIST SP 800–30

Single system risk assessment

NIST SP 800–53

Standard catalog of security controls, for all of information security.

NIST SP 800–53A

Guides on implementing security controls, including test, interview, and review processes.

The implicit goal of paper-based professional security certifications such as the Certified Information System Security Professional (CISSP) is to produce articulate professionals who can communicate with management. This does not necessarily counter emerging cyber threats. A Center for Strategic and International Studies (CISP) report stated that, “the current professional certificate regime in not merely inadequate, it creates a dangerously false sense of security," emphasizing security compliance on paper versus combating threats. This view is unpopular among security professionals.

Addressing enterprise security issues

The following specialized skills should be available on-demand from enterprise security teams,

Network Device specialists

Vendor-certified specialists with deep knowledge, certified by the likes of CISCO and Novell.

Operating System Security specialists

Configuration and hardening specialists, certified and trained by Microsoft, Oracle, and Redhat.

Database Security specialists

Specialists in configuring the security of databases.

System Forensics specialists

Capable of in-depth analysis, creating chains-of-evidence, and similar forensic investigation techniques.

Reverse-engineering Malware specialists

Capable of capturing malware and analyzing their characteristics to permanently eradicate them from enterprise networks.

Causal analysis of threats and incidents yields contexts and causes, that may be addressed by an evolutionary solution, within existing paper-based certification frameworks and enterprise processes. The decision to plug gaps may also evaluate alternative re-factored solutions addressing symptoms and consequences of scenarios, that in-turn have their benefits, dependencies and consequences.


Security awareness and insecure behavior

End users’ lack of security awareness puts confidential information, that they have access to and in their control, at risk. Social engineering exploits the inherent tendency of people wanting to help others, or not fully understanding the security consequences of their seemingly casual actions such as opening malicious attachments, in addition to conscious collaboration with malicious intent. A lack of recurring security awareness training for all end users, and management and co-worker awareness of backgrounds, beliefs and intentions, are potentially the only remedies, for deliberate behavior. Making systems fool-proof addresses unconscious behaviors.

Unpatched applications

All defects are potential security threats, that may propagate threats. Enterprise patch management software is widely deployed in corporations, even as several corporations manage patches manually. Systems with default configurations on production networks are the larger threats. There is folly in not reviewing and acting on CERT, vendor and similar security advisories, in a timely manner.

Not reading logs

Network Operating Centres (NOC) are facilities that continuously generate and display system and network status. Systems, network and security devices generate messages about events to centralized management applications that test for alarm conditions to highlight. Often, filters are applied to eliminate false positives from Intrusion Detection and Prevention Systems (IDS and IPS), and frequently logged or verbose generators are ignored. This overlooking provides cover for threats to go unnoticed.

Rule-bound network behavior

Assuming that rule-defying malicious applications are not present, or unwanted activity is not happening on networks, opens up networks to continued exploitation. Any unencrypted communication, not monitoring networks for malformed protocols and packets, and absence of secure authentication, are common causes.

Securing from external threats, not internal

Traditional network architectures have three domain boundaries, the Internet (DMZ), data centre Storage Area Network (SAN), and the intranet. Network security often concentrates on the DMZ and Internet, employing firewalls, and IDS/IPS. In practice, there are few internal protections and active monitoring on the intranet. Insiders have legitimate network credentials and knowledge of the most valuable information. Key-loggers, password sniffers, system administrator credentials, guessing passwords based on published information on social networks or brute-force testing similar passwords, and the like are relatively simple hacks. Host-Based Security Systems (HBSS) should be implemented to counter such threats.

Adopting cloud and web-based solutions

Cross-site scripting and cross-site request forgery are known threats from adopting cloud-based solutions over the insecure Internet, or on falsely assumed to be secure intranets. Software Virtual Private Networks (VPN) provide out-of-band separation of communications across public networks, preventing sniffing. Physically separated computers may be used for all financial transactions, for example.

Security compromised for time, effort and expertise availability

Security not being part of requirements, saving on development costs and time at the expense of security, overdue projects skipping comprehensive testing, shared administrator accounts and untrained developers are common causes and symptoms. Assuming security from obscurity, particularly of closed systems, that are deployed trusting external providers and often not actively monitoring deployments is another serious loophole.

Zachman Framework

The Zachman Framework by John P Zachman provides a reference for analyzing and describing enterprises in all their complexity. The interrogatives include, What? How? Where? Who? When? and Why? Each enterprise hierarchy has, executives, business management, architects, engineers, technicians, and users. Each ask the same six questions.

[1] Thomas J Mowbray. Cybersecurity: Managing Systems, Conducting Testing, and Investigating Intrusions. John Wiley & Sons, 2013.

[2] https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/reputation_based_security.pdf